In this lab we will provision the following components of our infrastructure for the dev environment:
- 2 network security groups
- private virtual network with 2 subnets
Note. AKS and Application Gateway are outside the scope of our labs, but will be covered in part 2 of the workshop.
- Network security groups
- What is Azure Virtual Network?
- ARM template reference for Network Security Group
- ARM template reference for virtual Networks
- ARM 101: Create a Network Security Group
- ARM 101: Virtual Network with two Subnets
- how to define the order for deploying resources in ARM templates
- resourceId() function
Create a new ARM template called template.json and add a new resource defining a Network Security Group called iac-dev-agw-nsg with 3 rules:
- name: INT-T443-IN-ALLOW
  - description: ""
  - protocol: Tcp
  - sourcePortRange: *
  - destinationPortRange: 443
  - sourceAddressPrefix: Internet
  - destinationAddressPrefix: 10.112.16.128/25
  - access: Allow
  - priority: 100
  - direction: Inbound
- name: INT-T80-IN-ALLOW
  - description: ""
  - protocol: Tcp
  - sourcePortRange: *
  - destinationPortRange: 80
  - sourceAddressPrefix: Internet
  - destinationAddressPrefix: 10.112.16.128/25
  - access: Allow
  - priority: 101
  - direction: Inbound
- name: AKS-T443-OUT-ALLOW
  - description: ""
  - protocol: Tcp
  - sourcePortRange: *
  - destinationPortRange: 443
  - sourceAddressPrefix: 10.112.16.128/25
  - destinationAddressPrefix: 10.112.0.0/20
  - access: Allow
  - priority: 102
  - direction: Outbound
Hint. Try to use the arm-nsg snippet of Azure Resource Manager (ARM) Tools, or check the example ARM 101: Create a Network Security Group for the Network Security Group ARM template syntax.
Validate the template:
az deployment group validate --template-file template.json -g iac-dev-rg
Deploy the ARM template:
az deployment group create -g iac-dev-rg --template-file template.json
Add a new resource defining a Network Security Group called iac-dev-aks-nsg with 1 rule:
- name: AGW-T443-IN-ALLOW
  - description: ""
  - protocol: Tcp
  - sourcePortRange: *
  - destinationPortRange: 443
  - sourceAddressPrefix: 10.112.16.128/25
  - destinationAddressPrefix: 10.112.0.0/20
  - access: Allow
  - priority: 100
  - direction: Inbound
Hint. Try to use the arm-nsg snippet of Azure Resource Manager (ARM) Tools, or check the example ARM 101: Create a Network Security Group for the Network Security Group ARM template syntax.
Validate the template:
az deployment group validate --template-file template.json -g iac-dev-rg
Deploy the ARM template:
az deployment group create -g iac-dev-rg --template-file template.json
Add a new resource defining a private Virtual Network called iac-dev-vnet with 2 subnets and the following specifications:
- VNet name: iac-dev-vnet
- addressPrefix: 10.112.0.0/16
- Subnets:
  - name: aks-net
    - addressPrefix: 10.112.0.0/20
    - networkSecurityGroup.id: iac-dev-aks-nsg
  - name: agw-net
    - addressPrefix: 10.112.16.128/25
    - networkSecurityGroup.id: iac-dev-agw-nsg
Hint. Try to use the arm-vnet snippet, the ARM template reference for virtual Networks, or the example ARM 101: Virtual Network with two Subnets for the Virtual Network ARM template syntax.
Our subnets use network security groups that are described in the same template, therefore we should specify the nsg resources as dependencies (dependsOn) of the vnet resource, so that the NSGs exist before the vnet that references them is created. Read more about how to define the order for deploying resources in ARM templates.
To specify the nsg for a subnet definition, use the networkSecurityGroup property and set its id field by using the resourceId function. Read more about the resourceId function.
Validate the template:
az deployment group validate --template-file template.json -g iac-dev-rg
Deploy the ARM template:
az deployment group create -g iac-dev-rg --template-file template.json
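The following is an added worked example of the complete template.json that the three tasks above build up to; it is not the workshop's own solution. The resource names, rules, and address prefixes are the ones specified in the tasks. The schema URL, the apiVersion 2020-06-01 (a valid version for both resource types) and the use of the resource group's location via resourceGroup().location are assumptions of this example, not requirements of the lab. Note how the vnet lists both NSGs in dependsOn, and how each subnet's networkSecurityGroup.id is produced by resourceId() rather than a hard-coded resource ID:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-06-01",
      "name": "iac-dev-agw-nsg",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "INT-T443-IN-ALLOW",
            "properties": {
              "description": "", "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "443",
              "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "10.112.16.128/25",
              "access": "Allow", "priority": 100, "direction": "Inbound"
            }
          },
          {
            "name": "INT-T80-IN-ALLOW",
            "properties": {
              "description": "", "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "80",
              "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "10.112.16.128/25",
              "access": "Allow", "priority": 101, "direction": "Inbound"
            }
          },
          {
            "name": "AKS-T443-OUT-ALLOW",
            "properties": {
              "description": "", "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "443",
              "sourceAddressPrefix": "10.112.16.128/25", "destinationAddressPrefix": "10.112.0.0/20",
              "access": "Allow", "priority": 102, "direction": "Outbound"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-06-01",
      "name": "iac-dev-aks-nsg",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "AGW-T443-IN-ALLOW",
            "properties": {
              "description": "", "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "443",
              "sourceAddressPrefix": "10.112.16.128/25", "destinationAddressPrefix": "10.112.0.0/20",
              "access": "Allow", "priority": 100, "direction": "Inbound"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2020-06-01",
      "name": "iac-dev-vnet",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', 'iac-dev-agw-nsg')]",
        "[resourceId('Microsoft.Network/networkSecurityGroups', 'iac-dev-aks-nsg')]"
      ],
      "properties": {
        "addressSpace": { "addressPrefixes": [ "10.112.0.0/16" ] },
        "subnets": [
          {
            "name": "aks-net",
            "properties": {
              "addressPrefix": "10.112.0.0/20",
              "networkSecurityGroup": {
                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'iac-dev-aks-nsg')]"
              }
            }
          },
          {
            "name": "agw-net",
            "properties": {
              "addressPrefix": "10.112.16.128/25",
              "networkSecurityGroup": {
                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'iac-dev-agw-nsg')]"
              }
            }
          }
        ]
      }
    }
  ]
}
```

Two things worth checking before deploying: priorities must be unique within each NSG (here 100, 101, 102 on the agw NSG and 100 on the aks NSG), and the two explicit rules on the subnet boundary, AKS-T443-OUT-ALLOW on agw-net and AGW-T443-IN-ALLOW on aks-net, together permit only TCP/443 from the gateway subnet (10.112.16.128/25) into the AKS subnet (10.112.0.0/20), which keeps the east-west exposure between the two subnets to the single port the workload needs.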
- You should have one ARM template with 3 resources
- You should see (at least) 3 deployments at the resource group level